Add user invalidation handling (#3804)

* Add user invalidation handling

* Formatting

Author: sam-gc

packages-exp/auth-exp/src/core/user/account_info.ts

@@ -23,6 +23,7 @@ import {
 } from '../../api/account_management/email_and_password';
 import { updateProfile as apiUpdateProfile } from '../../api/account_management/profile';
 import { User } from '../../model/user';
+import { _logoutIfInvalidated } from './invalidation';
 import { _reloadWithoutSaving } from './reload';
 
 interface Profile {
@@ -41,7 +42,10 @@ export async function updateProfile(
   const user = externUser as User;
   const idToken = await user.getIdToken();
   const profileRequest = { idToken, displayName, photoUrl };
-  const response = await apiUpdateProfile(user.auth, profileRequest);
+  const response = await _logoutIfInvalidated(
+    user,
+    apiUpdateProfile(user.auth, profileRequest)
+  );
 
   user.displayName = response.displayName || null;
   user.photoURL = response.photoUrl || null;
@@ -91,6 +95,9 @@ async function updateEmailOrPassword(
     request.password = password;
   }
 
-  const response = await apiUpdateEmailPassword(auth, request);
+  const response = await _logoutIfInvalidated(
+    user,
+    apiUpdateEmailPassword(auth, request)
+  );
   await user._updateTokensIfNecessary(response, /* reload */ true);
 }

packages-exp/auth-exp/src/core/user/invalidation.test.ts

@@ -0,0 +1,90 @@
+/**
+ * @license
+ * Copyright 2020 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *   http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+import { expect, use } from 'chai';
+import * as chaiAsPromised from 'chai-as-promised';
+
+import { FirebaseError } from '@firebase/util';
+
+import { testAuth, testUser } from '../../../test/helpers/mock_auth';
+import { Auth } from '../../model/auth';
+import { User } from '../../model/user';
+import { AUTH_ERROR_FACTORY, AuthErrorCode } from '../errors';
+import { _logoutIfInvalidated } from './invalidation';
+
+use(chaiAsPromised);
+
+describe('src/core/user/invalidation', () => {
+  let user: User;
+  let auth: Auth;
+
+  beforeEach(async () => {
+    auth = await testAuth();
+    user = testUser(auth, 'uid');
+    await auth.updateCurrentUser(user);
+  });
+
+  function makeError(code: AuthErrorCode): FirebaseError {
+    return AUTH_ERROR_FACTORY.create(code, { appName: auth.name });
+  }
+
+  it('leaves non-invalidation errors alone', async () => {
+    const error = makeError(AuthErrorCode.TOO_MANY_ATTEMPTS_TRY_LATER);
+    await expect(
+      _logoutIfInvalidated(user, Promise.reject(error))
+    ).to.be.rejectedWith(error);
+    expect(auth.currentUser).to.eq(user);
+  });
+
+  it('does nothing if the promise resolves', async () => {
+    await _logoutIfInvalidated(user, Promise.resolve({}));
+    expect(auth.currentUser).to.eq(user);
+  });
+
+  it('logs out the user if the error is user_disabled', async () => {
+    const error = makeError(AuthErrorCode.USER_DISABLED);
+    await expect(
+      _logoutIfInvalidated(user, Promise.reject(error))
+    ).to.be.rejectedWith(error);
+    expect(auth.currentUser).to.be.null;
+  });
+
+  it('logs out the user if the error is token_expired', async () => {
+    const error = makeError(AuthErrorCode.TOKEN_EXPIRED);
+    await expect(
+      _logoutIfInvalidated(user, Promise.reject(error))
+    ).to.be.rejectedWith(error);
+    expect(auth.currentUser).to.be.null;
+  });
+
+  context('with another logged in user', () => {
+    let user2: User;
+
+    beforeEach(async () => {
+      user2 = testUser(auth, 'uid2');
+      await auth.updateCurrentUser(user2);
+    });
+
+    it('does not log out user2 if the error is user_disabled', async () => {
+      const error = makeError(AuthErrorCode.USER_DISABLED);
+      await expect(
+        _logoutIfInvalidated(user, Promise.reject(error))
+      ).to.be.rejectedWith(error);
+      expect(auth.currentUser).to.eq(user2);
+    });
+  });
+});

packages-exp/auth-exp/src/core/user/invalidation.ts

@@ -0,0 +1,45 @@
+/**
+ * @license
+ * Copyright 2020 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *   http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+import { FirebaseError } from '@firebase/util';
+
+import { User } from '../../model/user';
+import { AuthErrorCode } from '../errors';
+
+export async function _logoutIfInvalidated<T>(
+  user: User,
+  promise: Promise<T>
+): Promise<T> {
+  try {
+    return await promise;
+  } catch (e) {
+    if (e instanceof FirebaseError && isUserInvalidated(e)) {
+      if (user.auth.currentUser === user) {
+        await user.auth.signOut();
+      }
+    }
+
+    throw e;
+  }
+}
+
+function isUserInvalidated({ code }: FirebaseError): boolean {
+  return (
+    code === `auth/${AuthErrorCode.USER_DISABLED}` ||
+    code === `auth/${AuthErrorCode.TOKEN_EXPIRED}`
+  );
+}

packages-exp/auth-exp/src/core/user/link_unlink.ts

@@ -19,13 +19,14 @@ import * as externs from '@firebase/auth-types-exp';
 
 import { deleteLinkedAccounts } from '../../api/account_management/account';
 import { _processCredentialSavingMfaContextIfNecessary } from '../../mfa/mfa_error';
+import { User, UserCredential } from '../../model/user';
 import { AuthCredential } from '../credentials';
 import { AuthErrorCode } from '../errors';
 import { assert } from '../util/assert';
 import { providerDataAsNames } from '../util/providers';
+import { _logoutIfInvalidated } from './invalidation';
 import { _reloadWithoutSaving } from './reload';
 import { UserCredentialImpl } from './user_credential_impl';
-import { User, UserCredential } from '../../model/user';
 
 /**
  *  This is the externally visible unlink function
@@ -61,9 +62,9 @@ export async function _link(
   user: User,
   credential: AuthCredential
 ): Promise<UserCredential> {
-  const response = await credential._linkToIdToken(
-    user.auth,
-    await user.getIdToken()
+  const response = await _logoutIfInvalidated(
+    user,
+    credential._linkToIdToken(user.auth, await user.getIdToken())
   );
   return UserCredentialImpl._forOperation(
     user,

packages-exp/auth-exp/src/core/user/reauthenticate.ts

@@ -16,12 +16,14 @@
  */
 
 import { OperationType } from '@firebase/auth-types-exp';
+
 import { _processCredentialSavingMfaContextIfNecessary } from '../../mfa/mfa_error';
 import { User } from '../../model/user';
 import { AuthCredential } from '../credentials';
 import { AuthErrorCode } from '../errors';
 import { assert, fail } from '../util/assert';
 import { _parseToken } from './id_token_result';
+import { _logoutIfInvalidated } from './invalidation';
 import { UserCredentialImpl } from './user_credential_impl';
 
 export async function _reauthenticate(
@@ -32,11 +34,14 @@ export async function _reauthenticate(
   const operationType = OperationType.REAUTHENTICATE;
 
   try {
-    const response = await _processCredentialSavingMfaContextIfNecessary(
-      user.auth,
-      operationType,
-      credential,
-      user
+    const response = await _logoutIfInvalidated(
+      user,
+      _processCredentialSavingMfaContextIfNecessary(
+        user.auth,
+        operationType,
+        credential,
+        user
+      )
     );
     assert(response.idToken, AuthErrorCode.INTERNAL_ERROR, { appName });
     const parsed = _parseToken(response.idToken);

packages-exp/auth-exp/src/core/user/reload.ts

@@ -22,14 +22,18 @@ import {
   ProviderUserInfo
 } from '../../api/account_management/account';
 import { User } from '../../model/user';
-import { UserMetadata } from './user_metadata';
-import { assert } from '../util/assert';
 import { AuthErrorCode } from '../errors';
+import { assert } from '../util/assert';
+import { _logoutIfInvalidated } from './invalidation';
+import { UserMetadata } from './user_metadata';
 
 export async function _reloadWithoutSaving(user: User): Promise<void> {
   const auth = user.auth;
   const idToken = await user.getIdToken();
-  const response = await getAccountInfo(auth, { idToken });
+  const response = await _logoutIfInvalidated(
+    user,
+    getAccountInfo(auth, { idToken })
+  );
 
   assert(response?.users.length, AuthErrorCode.INTERNAL_ERROR, {
     appName: auth.name

packages-exp/auth-exp/src/core/user/user_impl.ts

@@ -17,6 +17,7 @@
 
 import * as externs from '@firebase/auth-types-exp';
 import { NextFn } from '@firebase/util';
+
 import {
   APIUserInfo,
   deleteAccount
@@ -29,8 +30,9 @@ import { AuthErrorCode } from '../errors';
 import { PersistedBlob } from '../persistence';
 import { assert } from '../util/assert';
 import { getIdTokenResult } from './id_token_result';
+import { _logoutIfInvalidated } from './invalidation';
 import { ProactiveRefresh } from './proactive_refresh';
-import { reload, _reloadWithoutSaving } from './reload';
+import { _reloadWithoutSaving, reload } from './reload';
 import { StsTokenManager } from './token_manager';
 import { UserMetadata } from './user_metadata';
 
@@ -83,9 +85,9 @@ export class UserImpl implements User {
   }
 
   async getIdToken(forceRefresh?: boolean): Promise<string> {
-    const accessToken = await this.stsTokenManager.getToken(
-      this.auth,
-      forceRefresh
+    const accessToken = await _logoutIfInvalidated(
+      this,
+      this.stsTokenManager.getToken(this.auth, forceRefresh)
     );
     assert(accessToken, AuthErrorCode.INTERNAL_ERROR, {
       appName: this.auth.name
@@ -184,7 +186,7 @@ export class UserImpl implements User {
 
   async delete(): Promise<void> {
     const idToken = await this.getIdToken();
-    await deleteAccount(this.auth, { idToken });
+    await _logoutIfInvalidated(this, deleteAccount(this.auth, { idToken }));
     this.stsTokenManager.clearRefreshToken();
 
     // TODO: Determine if cancellable-promises are necessary to use in this class so that delete()

packages-exp/auth-exp/src/mfa/mfa_user.ts

@@ -16,12 +16,13 @@
  */
 import * as externs from '@firebase/auth-types-exp';
 
-import { User } from '../model/user';
-import { MultiFactorSession } from './mfa_session';
-import { MultiFactorAssertion } from './assertions';
 import { withdrawMfa } from '../api/account_management/mfa';
 import { AuthErrorCode } from '../core/errors';
+import { _logoutIfInvalidated } from '../core/user/invalidation';
+import { User } from '../model/user';
+import { MultiFactorAssertion } from './assertions';
 import { MultiFactorInfo } from './mfa_info';
+import { MultiFactorSession } from './mfa_session';
 
 export class MultiFactorUser implements externs.MultiFactorUser {
   enrolledFactors: externs.MultiFactorInfo[] = [];
@@ -50,10 +51,9 @@ export class MultiFactorUser implements externs.MultiFactorUser {
   ): Promise<void> {
     const assertion = assertionExtern as MultiFactorAssertion;
     const session = (await this.getSession()) as MultiFactorSession;
-    const finalizeMfaResponse = await assertion._process(
-      this.user.auth,
-      session,
-      displayName
+    const finalizeMfaResponse = await _logoutIfInvalidated(
+      this.user,
+      assertion._process(this.user.auth, session, displayName)
     );
     // New tokens will be issued after enrollment of the new second factors.
     // They need to be updated on the user.
@@ -68,10 +68,13 @@ export class MultiFactorUser implements externs.MultiFactorUser {
     const mfaEnrollmentId =
       typeof infoOrUid === 'string' ? infoOrUid : infoOrUid.uid;
     const idToken = await this.user.getIdToken();
-    const idTokenResponse = await withdrawMfa(this.user.auth, {
-      idToken,
-      mfaEnrollmentId
-    });
+    const idTokenResponse = await _logoutIfInvalidated(
+      this.user,
+      withdrawMfa(this.user.auth, {
+        idToken,
+        mfaEnrollmentId
+      })
+    );
     // Remove the second factor from the user's list.
     this.enrolledFactors = this.enrolledFactors.filter(
       ({ uid }) => uid !== mfaEnrollmentId